The BYOD horse is out of the barn: What now inside counsel?

More and more organizations around the globe permit employees to bring their own mobile devices to work so they can access company data from any location, at any time with any device. The bring your own device (BYOD) phenomenon started gaining traction around 2007 when executives and board members brought the first personal smart phones and tablets into the corporate workspace. Since then, the BYOD trend has skyrocketed as employees began to expect the same kind of flexibility, and employers saw increased productivity by allowing employees to use mobile devices both at work and home.

Employee and employer attitudes

Cisco recently revealed that 95 percent of IT and business leaders surveyed in the United States say their organizations permit employee-owned devices in some way, shape or form. The survey goes on to cite employees’ desire to use their favorite device anywhere, and the ability to conduct personal and work activities any time as the top reasons driving employee BYOD enthusiasm. This enthusiasm might be better characterized as a perceived right to use mobile devices in the workplace, considering more than 33 percent of employees between ages 20 and 29 said that they would break any anti-BYOD rules to use their personal devices.

Despite years of unbridled BYOD proliferation, some employers are beginning to question whether or not the financial benefits of BYOD are sustainable. For example, technology analyst Gartner states that while BYOD programs can reduce costs, they typically do not. Gartner reasons that as “businesses look to drive more capability to the mobile device, the costs of software, infrastructure, personnel support and related services will increase over time.”

On the other hand, some companies claim implementing a BYOD policy can save organizations big bucks, and they have the data to support their position. For example, VMware claims to have saved $2 million by switching to a BYOD policy that required employees to purchase their own devices and rely on their own mobile providers for customer support.

Does in-house counsel need to play the role of bad cop?

Despite the potential cost savings of BYOD, many lawyers fear that allowing employees to use personal devices for business purposes will lead to increased data privacy, ownership and security challenges. That sentiment often leaves in-house attorneys in the common, but unenviable, position of being the lone dissenter among other business stakeholders trying to save the organization money by instituting a BYOD approach.

The reality is that alternative approaches present many of the same problems as BYOD, so the risks and benefits of any mobile approach must be considered. For example, employers that do not allow employees to use their own personal devices for work commonly provide their employees with company-owned devices as an alternative. Not surprisingly, employees almost always use those devices for both personal and business reasons (whether permitted or not), thereby opening up many of the same legal and data security risks.

An employer-owned device policy may reduce the risk of privacy-based objections by employees when access to devices and their contents is required by the employer. However, those risks are not eliminated by an employer-owned policy and risks related to data loss and theft still exist regardless of device ownership. That means any incremental risk reduction gained by an employer-owned device policy must be balanced against the amount of money that could have been saved by implementing a BYOD policy. In other words, in-house counsel must understand that device ownership (employee vs. employer) is not the only factor that should be considered when determining a mobile device usage policy.

Today’s reality is that employees expect to be able to use mobile devices for business and personal use regardless of whether the device is owned by the employer or the employee. Similarly, many employers believe that providing employees with the flexibility to use mobile devices for business and personal use increases worker productivity. Fortunately for in-house counsel, new mobile technologies combined with good internal policies are providing organizations with the flexibility to implement the mobile approach they think makes the most financial sense without taking on undue risk. In other words, today’s in-house counsel is empowered to become part of the organization’s solution and step away from playing the role of the bad cop when it comes to implementing a mobile device strategy.

Getting started

Although decisions about whether and how to deploy mobile devices are normally left to corporate IT and IT security departments, addressing the fallout resulting from mobile device usage typically rests on the shoulders of in-house counsel. Many times these problems could have been avoided or at least minimized with proper planning and input from the legal department.

Unfortunately, the legal department is often overlooked as a stakeholder in business decisions related to technology investments. That is why in-house counsel must proactively seek to understand and address the potential risks and costs associated with mobile device usage sooner rather than later – the precise focus for the remainder of this three-part series.

The next article in this series will highlight some of the legal risks related to allowing mobile devices into the workplace so that counsel can begin thinking about how to guard against those risks. It will also provide insight into some of the legal and financial consequences of failing to establish a strategy for guarding against mobile threats. The final article will provide tips for implementing procedures, policies and technologies to help protect organizations from mobile risks without unnecessarily restricting employees who want the freedom to use the mobile device of their choice when and where they choose.

Contributing Author

Matt Nelson

Matthew Nelson is an attorney and legal technology expert with Symantec who has spent the past 15 years helping organizations address a wide array of...